Protect Your Network from the Nimda Worm

09/21/2001

The Nimda worm has spread wildly, infecting many Microsoft Windows 9x,
ME, NT 4.0, and 2000 machines, and its network scans have brought some
networks to their knees.

It was first reported on the morning of September 18th, almost one
week after the terrorist attack on the World Trade Center and the
Pentagon. There is, however, no known or reported connection between
the two attacks. The worm has also been known as W32/Nimbda-A,
Concept5, Code Rainbow, and Minda. The word Nimda could be admin
spelled backwards.

The damages inflicted on machines infected by the Nimda worm include:

degrading network performance due to the worm's aggressive scanning for new machines to infect;

activating a guest account and granting it administrative permissions;

giving the world full access to the c: drive;

replacing executables with infected versions (virus-like
behavior);

adding Javascript code to HTML, HTM, and ASP files
(infecting them);

deleting the security restrictions on network
shares;

filling up system drives; and

changing the machine's start-up so
that the worm will restart on a reboot.

The Nimda worm uses four methods to spread itself to new machines:

email,

an attack against vulnerabilities in the Microsoft IIS web
server,

an attack against Microsoft Internet Explorer when browsing
web pages, and

infecting executable files on the local drive and
network shares, as a virus would.

The details on these attacks are listed below.


Email. The Nimda worm spreads itself using email by exploiting a vulnerability in the Microsoft Internet Explorer libraries used by Outlook and Outlook Express to parse and display HTML code. The email has the worm as an attachment that is marked as an audio/x-wave MIME type. When this message is viewed or previewed,
Outlook or Outlook Express will execute
it and infect the machine.
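The mismatch described above, an executable attachment declared as audio/x-wave, is something a mail gateway can check for directly. The following is an added example, not code from the original article: it parses a message, compares each attachment's declared MIME type against its filename and its leading bytes, and flags the disagreement. The sample message is constructed for the demonstration, and the function names and the policy (flag any audio, image or text part that carries a Windows executable header or an executable filename extension) are this example's assumptions.

```python
"""Flag mail attachments whose declared MIME type disagrees with their
payload, the pattern the Nimda email vector used.

Added example, not from the original article. The message built in
build_sample_message() is constructed for the demonstration, and the
flagging policy is this example's own assumption.
"""
import email
from email import policy
from email.message import EmailMessage

# Filename extensions Windows will run directly (assumed policy list).
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".pif", ".com", ".bat")
# Declared types under which an executable payload is never legitimate.
NON_EXECUTABLE_TYPES = ("audio/", "image/", "text/")


def suspicious_attachments(raw_message: bytes) -> list:
    """Return (filename, content_type, reason) for each non-multipart part
    whose declared type disagrees with its filename or its content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # Every Windows PE image begins with the 'MZ' DOS-stub signature.
        if payload[:2] == b"MZ" and ctype.startswith(NON_EXECUTABLE_TYPES):
            reasons.append("executable header under non-executable MIME type")
        if fname.lower().endswith(EXECUTABLE_EXTENSIONS) and ctype.startswith(NON_EXECUTABLE_TYPES):
            reasons.append("executable filename declared as %s" % ctype)
        if reasons:
            findings.append((fname, ctype, "; ".join(reasons)))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: an 'MZ'-prefixed blob attached as audio/x-wave
    under the name readme.exe, beside a harmless RIFF/WAVE attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "sample"
    msg.set_content("see attachment")
    fake_exe = b"MZ" + b"\x00" * 62 + b"Not a real program; constructed for the example."
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-wave", filename="readme.exe")
    msg.add_attachment(b"RIFF\x00\x00\x00\x00WAVEfmt ", maintype="audio", subtype="x-wave", filename="tone.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, ctype, reason in suspicious_attachments(build_sample_message()):
        print(f"{fname} ({ctype}): {reason}")
```

Checking the payload header as well as the filename matters because the filename is attacker-controlled and can be omitted; the 'MZ' signature is what the client would actually execute.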

Servers. The worm uses several methods to attack web servers. It scans the Internet looking for machines running Microsoft IIS and checks these machines for a back door installed by the Code Red II worm. If it fails to find the back door, it will try to exploit a series of IIS vulnerabilities. The vulnerabilities the worm attempts to exploit include:

Browsing. Once a machine is infected, a piece of Javascript code is added to all HTML, HTM, and ASP files that will cause a file named readme.eml to be downloaded automatically when the page is browsed using a vulnerable version of Microsoft Internet Explorer. This downloaded file will then be executed and will infect the machine.

Virus. The worm also has virus-like capabilities. It will search local
drives and shares on the network, infecting executables and copying
itself using names such as richd20.dll, admin.dll, and readme.exe.
These copies and executable files will infect or re-infect machines
when they are executed. If an infected file is executed with the
parameter dontrunold on the command line, it will execute only the worm.

Each of the vulnerabilities that the Nimda worm exploits to spread
itself has been announced previously on mailing lists and other
sources, with patches announced by Microsoft. For example, the "Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability" was announced on August 10, 2000. This should be a lesson to all administrators about the need to keep patches for security problems up to date. While it is true that keeping machines patched will not prevent all exploits, it would have prevented successful exploitation of a machine by this worm.

Determining if your network is infected

Signs that a machine has been scanned by the worm are lines in the
logs such as:

/scripts/..%5c../winnt/system32/cmd.exe

/msadc/..%5c../..%5c../..%5c/..

GET /MSADC/root.exe HTTP/1.0"

Email systems will have transferred email with attachments
named readme.exe. Signs of infection of web pages will be the
addition of the infecting Javascript in the web pages.
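The two indicators just listed, the scan requests in web server logs and the readme.eml reference injected into HTML, HTM and ASP files, can be checked mechanically. The following is an added example, not code from the original article: it decodes the %5c-encoded traversal into its canonical form (the canonicalization the IIS bug mishandled), matches the cmd.exe, root.exe and /msadc/ patterns from the log excerpt above, and then looks for the readme.eml reference in page content. The log lines and page fragments are constructed for the demonstration, and the function names are this example's own.

```python
"""Find Nimda-style scan requests in web logs and the injected page
reference in HTML, HTM and ASP files.

Added example, not from the original article. SAMPLE_LOG and
SAMPLE_PAGES are constructed for the demonstration.
"""
import re
from urllib.parse import unquote

# Indicators taken from the log lines quoted in the article.
SCAN_PATTERNS = [
    re.compile(r"cmd\.exe", re.IGNORECASE),
    re.compile(r"root\.exe", re.IGNORECASE),
    re.compile(r"/msadc/", re.IGNORECASE),
]
# The injected script pulls readme.eml; its presence marks an infected page.
INJECTED_REF = re.compile(r"readme\.eml", re.IGNORECASE)
WEB_PAGE_SUFFIXES = (".html", ".htm", ".asp")


def normalize_path(path: str) -> str:
    """Percent-decode once (enough for the %5c form) and fold backslashes
    to forward slashes, so '..%5c..' and '../..' compare equal."""
    return unquote(path).replace("\\", "/").lower()


def is_scan_request(path: str) -> bool:
    """True when the request path traverses upward or hits a known indicator."""
    norm = normalize_path(path)
    traversal = "/../" in norm or norm.startswith("../")
    return traversal or any(p.search(norm) for p in SCAN_PATTERNS)


def scan_log(lines) -> list:
    """Return (line_number, request_path) for each matching log line.
    Accepts common-log-format lines with a quoted request, W3C-style
    lines with a bare method and path, and bare paths on their own."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\b(GET|POST|HEAD)\s+(\S+)", line)
        if m:
            path = m.group(2)
        elif line.strip().startswith("/"):
            path = line.strip()
        else:
            continue
        if is_scan_request(path):
            hits.append((n, path))
    return hits


def find_infected_pages(pages: dict) -> list:
    """Given {filename: content}, return the HTML/HTM/ASP files that
    carry the readme.eml reference, sorted by name."""
    return sorted(
        name for name, content in pages.items()
        if name.lower().endswith(WEB_PAGE_SUFFIXES) and INJECTED_REF.search(content)
    )


# Constructed sample log: three scan requests, then two ordinary ones.
SAMPLE_LOG = [
    '192.0.2.5 - - [18/Sep/2001:10:00:01 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.5 - - [18/Sep/2001:10:00:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    "/msadc/..%5c../..%5c../..%5c/..",
    '198.51.100.7 - - [18/Sep/2001:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '198.51.100.7 - - [18/Sep/2001:10:00:05 +0000] "GET /images/logo.gif HTTP/1.0" 200 5678',
]

# Constructed sample pages: the .asp file carries a stand-in for the
# injected script; the .txt mention is ignored because it is not a page.
SAMPLE_PAGES = {
    "index.html": "<html><body><h1>Welcome</h1></body></html>",
    "default.asp": '<html><body>Hi</body></html>\n<script>/* constructed stand-in */ window.open("readme.eml")</script>',
    "notes.txt": "readme.eml is mentioned here in plain text only",
}

if __name__ == "__main__":
    for n, path in scan_log(SAMPLE_LOG):
        print(f"log line {n}: scan request {path}")
    for name in find_infected_pages(SAMPLE_PAGES):
        print(f"infected page: {name}")
```

Decoding before matching is the point: a filter that looks for the literal string "../" misses the %5c form, which is exactly how the traversal slipped past IIS's own checks.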

Defensive measures

Vendors of anti-virus and intrusion detection tools have released
updates and signatures. Administrators and owners of Microsoft Windows
9x, ME, NT 4.0, and 2000 machines and network administrators should
update their tools and use them to detect and clean infected machines.
It is also necessary to apply the appropriate patches or upgrades to
Internet Explorer and IIS.

An interesting and creative defense developed against the Code Red
worm but useful for this worm is LaBrea. LaBrea creates
what the author calls a tarpit or a sticky honeypot. It listens on
unused IP addresses on a network and will answer connection attempts
in a way designed to slow a scan by an attacking machine and cause it
to get stuck. One thing to watch for is that LaBrea will by default
take up all unused IP addresses on its subnet (what it decides are
unused IP addresses). It is written to try and protect against
problems with other machines on the network but there is still a
potential for problems.

This worm is very dangerous and difficult to eradicate. The multiple
infection vectors make it very difficult to stop from spreading and the
multitude of machines with unpatched vulnerabilities give it a fertile
field to grow in. It is the first, or one of the first, worms that
infects not only client machines but also server machines. Patching
all vulnerable machines and cleaning infected machines will be
required to control the spread of the Nimda worm. Keeping our
machines' patches as up to date as possible will prevent problems in
the future.